Adware.flex/Ghokswa Virus keeps coming back after removal with MWB software

[kevinf80]

Run the following please:

Download and save RogueKiller to your Desktop from this link: https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply Let me see that log in your reply...   Thank you,   Kevin

[AngelVirus]

rogue log.txt

[kevinf80]

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked [Adw.Elex] (X64) HKEY_LOCAL_MACHINE\Software\InterSect Alliance -> Found [PUP.UCBrowser|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found [PUP.UCBrowser|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Found [Adw.FakeBro] (X86) HKEY_LOCAL_MACHINE\Software\Zoohair -> Found [PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Found [PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Found [PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Firefox -> Found [PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowser -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowserPID -> Found [Adw.FakeBro] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Zoohair -> Found [PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Firefox -> Found [PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowser -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowserPID -> Found [Adw.FakeBro] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Zoohair -> Found [PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Found [PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Found [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found [PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found [PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found [PUP.Y2Go|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0AC1758E-C60E-4E27-B95C-DB94B854448C} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\maxaspiner\AppData\Local\MicrosoftHelper\bin\Y2Go.exe|Name=Y2Go| [x] -> Found [PUP.Y2Go|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {84D8E75A-53D1-4735-8C68-F58636FAC715} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\maxaspiner\AppData\Local\MicrosoftHelper\bin\Y2Go.exe|Name=Y2Go| [x] -> Found [PUP.Ghokswa] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C4A8BC46-4254-43FE-BA4D-ED044A34EE34} : v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [x] -> Found [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found [PUP.UCBrowser] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9} | StubPath : "C:\Program Files (x86)\UCBrowser\Application\6.1.2107.204\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --wow-install-target-path="C:\Program Files (x86)\UCBrowser" [x] -> Found Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.   Post that log...   Next,   Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Let me see those logs in your reply... Thank you, Kevin

[AngelVirus]

I already deleted the 30 threats, I assumed that was implied 

[AngelVirus]

rogue 1.txt

[AngelVirus]

Malwarebytes

www.malwarebytes.com

 

-Log Details-

Scan Date: 5/12/17

Scan Time: 10:11 PM

Logfile: 

Administrator: Yes

 

-Software Information-

Version: 3.0.6.1469

Components Version: 1.0.103

Update Package Version: 1.0.1926

License: Trial

 

-System Information-

OS: Windows 10

CPU: x64

File System: NTFS

User: LAPTOP-3R8KLTI5\maxaspiner

 

-Scan Summary-

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 400856

Time Elapsed: 2 min, 13 sec

 

-Scan Options-

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

-Scan Details-

Process: 0

(No malicious items detected)

 

Module: 0

(No malicious items detected)

 

Registry Key: 0

(No malicious items detected)

 

Registry Value: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Data Stream: 0

(No malicious items detected)

 

Folder: 0

(No malicious items detected)

 

File: 0

(No malicious items detected)

 

Physical Sector: 0

(No malicious items detected)

 

 

(end)

[kevinf80]

Initial RogueKiller did not imply anything other than found... I never ask that you delete any entries until I have a look at the log...

Quote

¤¤¤ Registry : 30 ¤¤¤
[Adw.Elex] (X64) HKEY_LOCAL_MACHINE\Software\InterSect Alliance -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Found
[Adw.FakeBro] (X86) HKEY_LOCAL_MACHINE\Software\Zoohair -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Found
[PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Firefox -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowser -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowserPID -> Found
[Adw.FakeBro] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Zoohair -> Found
[PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Firefox -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowser -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\UCBrowserPID -> Found
[Adw.FakeBro] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Zoohair -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-844019692-2479770628-2193445589-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.bing.com?pc=HRTE -> Found
[PUP.Y2Go|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0AC1758E-C60E-4E27-B95C-DB94B854448C} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\maxaspiner\AppData\Local\MicrosoftHelper\bin\Y2Go.exe|Name=Y2Go| [x] -> Found
[PUP.Y2Go|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {84D8E75A-53D1-4735-8C68-F58636FAC715} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\maxaspiner\AppData\Local\MicrosoftHelper\bin\Y2Go.exe|Name=Y2Go| [x] -> Found
[PUP.Ghokswa] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C4A8BC46-4254-43FE-BA4D-ED044A34EE34} : v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [x] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUP.UCBrowser] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9} | StubPath : "C:\Program Files (x86)\UCBrowser\Application\6.1.2107.204\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --wow-install-target-path="C:\Program Files (x86)\UCBrowser" [x] -> Found

 

How does your PC respond now, any issues or concerns...?

[AngelVirus]

sorry I meant I thought it was implied to manually delete them after posting the log. I'll have to wait another day to see if all the malware is gone, but that roguekiller software was very impressive, it found 30 threats where as zenema malware only found 1. 

[kevinf80]

Yes RK is a good tool, problem is it is also capable of finding legitimate entries that look suspicious because they differ from default. If you delete those entries you can end up with a non bootable system.... Only use DELETE when you are 100% sure of entry findings....

We wait another time for your update,

Thank you,

Kevin

[AngelVirus]

ohhh I didn't think of that, I hope I didn't delete anything important. 

[kevinf80]

Not this time AngelVirus, just be careful... If you want to make such deletions in the future always make registry back up first...

[AngelVirus]

Everything was going fine until today when an automatic  MWB scan returned this:

 

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/22/17
Scan Time: 2:11 AM
Logfile: Adware elex is back.22.05.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1989
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 456031
Time Elapsed: 0 min, 59 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 2
Adware.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{EE6F0BBF-A482-4B99-A16B-D8B464CD3D51}, No Action By User, [2], [400537],1.0.1989
Adware.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{C27F66B0-E2A3-43AF-829B-C74EB0EDFCC5}, No Action By User, [2], [400537],1.0.1989

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)

Edited May 22, 2017 by AngelVirus

[kevinf80]

The log shows "no action by user" did you not deal with the found entries...?

[AngelVirus]

I removed them after saving the results of the log. By remove I mean Quarantine.

Edited May 22, 2017 by AngelVirus

[kevinf80]

Those entries in MB log were Firewall Policies/Rules, that may indicate something on your system trying to create a door through the Firewall.... I want you to do the following if possible:

Reset your router, instructons available at the following link: http://setuprouter.com/networking/how-to-reset-your-router/ Follow those instructions very carefully. Next, Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary. Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper   Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run. From the left hand pane select "Flush DNS" From the main interface select the dropdown under "Choose a DNS Server" From the list select either "Google Public DNS" or "Open DNS" From the left hand pane select "Apply DNS" When done re-boot your system.... Next, Scan with HitmanPro In any case don't remove on your own anything that Hitman Pro detects! This scanner is really good for checking, it has however been known for deleting files instead of curing them, in some cases this may render the machine unbootable. Any removals will be done manually after careful analysis of the scan results! Please download HitmanPro by SurfRight and save it to your desktop. Temporary disable your AntiVirus and AntiSpyware protection - instructions here.   Right-click on icon and select Run as Administrator to start the tool. If the program won't run please run it while holding down the left CTRL key until it's loaded! Click on the Next button. You must agree with the terms of EULA (if asked). Check the box beside No, I only want to perform a one-time scan to check this computer. Click on the Next button. The program will start to scan the computer. It would only take several minutes. When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore. If there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro!Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it it your next reply. Click on the Next button. Click on the Save Log button. Save that file to your desktop. Please include that logfile in your next reply. Don't forget to re-enable your security! Let me see that log from HitmanPro... Thank you, Kevin

[AngelVirus]

oh dear I have been very busy, I did the dns scan, then I checked my MWB. I did a scan. Oh my god over 2000 threats. I'm amazed that only 20 hours later it managed to multiply so much

 

I'm about to do the hitman pro thing, just need to disable lots of stuff.

oh dear.txt

[kevinf80]

Malwarebytes log shows No Action By User....?

[AngelVirus]

The first thing I do is always save the log, after saving the lost I did the usual quarantine.

 

 

I'v now done the Hitman pro scan, and before doing that I even deleted all active anti virus software, I uninstalled, zenama and Mwb. I need to reinstall them but I was not sure how to deactivate reliably.

 

The scan was pretty good, most of it was just app data cookies on google chrome which I knew I could delete without any issues. There were 3 items I ignored to be safe though.

 

 

Something on my system was capable of multiplying itself 2k fold within a day, I don't think anything that was returned in this log had the power to that. I think the malware is still on my computer, this elex software is very annoying.  

 

 

 

 

HitmanPro_20170524_0350.log

HitmanPro_20170524_0353.after pressing next.log

HitmanPro_20170524_0353 end log.log

Edited May 24, 2017 by AngelVirus

[kevinf80]

Upload a File to Virustotal Go to http://www.virustotal.com/   Click the Choose file button Navigate to the file C:\Windows\System32\MicTray64.exe Click the Scan it tab If you get a message saying File has already been analyzed: click Reanalyze file now Copy and paste the results back here please.

[AngelVirus]

Antivirus	Result	Update
GData	Win32.Riskware.Keylogger.R	20170524
Rising	Malware.Undefined!8.C (cloud:opL4D4ydtUD)	20170524
Ad-Aware		20170524
AegisLab		20170524
AhnLab-V3		20170524
Alibaba		20170524
ALYac		20170524
Antiy-AVL		20170524
Arcabit		20170524
Avast		20170524
AVG		20170524
Avira (no cloud)		20170524
AVware		20170524
BitDefender		20170524
Bkav		20170524
CAT-QuickHeal		20170524
ClamAV		20170524
CMC		20170523
Comodo		20170524
CrowdStrike Falcon (ML)		20170130
Cyren		20170524
DrWeb		20170524
Emsisoft		20170524
Endgame		20170515
ESET-NOD32		20170524
F-Prot		20170524
F-Secure		20170524
Fortinet		20170524
Ikarus		20170524
Invincea		20170519
Jiangmin		20170524
K7AntiVirus		20170524
K7GW		20170524
Kaspersky		20170524
Kingsoft		20170524
Malwarebytes		20170524
McAfee		20170524
McAfee-GW-Edition		20170523
Microsoft		20170524
eScan		20170524
NANO-Antivirus		20170524
nProtect		20170524
Palo Alto Networks (Known Signatures)		20170524
Panda		20170524
Qihoo-360		20170524
SentinelOne (Static ML)		20170516
Sophos		20170524
SUPERAntiSpyware		20170524
Symantec		20170524
Symantec Mobile Insight		20170524
Tencent		20170524
TheHacker		20170522
TrendMicro		20170524
TrendMicro-HouseCall		20170524
VBA32		20170524
VIPRE		20170524
ViRobot		20170524
Webroot		20170524
WhiteArmor		20170524
Yandex		20170518
Zillya		20170523
ZoneAlarm by Check Point		20170524
Zoner		20170524

[AngelVirus]

SHA256:	c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea
File name:	MicTray64.exe
Detection ratio:	2 / 60
Analysis date:	2017-05-24 13:25:11 UTC ( 0 minutes ago )

[AngelVirus]

Antivirus scan for c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea at UTC - VirusTotal.pdf

Antivirus scan for c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea at UTC - VirusTotal second page.pdf

[kevinf80]

Thanks for the update AngelVirus, continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Go here and click 'SCAN NOW' under 'ESET Online Scanner' save to your Desktop. Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how Right click on and select "Run as Administrator" In the new Window accept the terms of service In the new Window select "Enable detection of potentially unwanted applictions" then expand "Advanced Settings" In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan" In the new Window new virus database signatures will download, Do Not Select Stop The Window will progress showing the scan in action.... In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply... If threats are found the following Window will open: Click on "Select All" then "Save to Text file" name and save that file, attach to your reply. Now select "Do not clean" and then close out....   Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...   Thank you,   Kevin....

 

fixlist.txt

[AngelVirus]

I had to run the fix twice because the first fix did not give me a fixlog because I already had a bunch of fixlogs on my desktop, so I deleted those fix logs, then I ran the fix you just sent me again, and I got this. I think it worked. 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 24-05-2017
Ran by maxaspiner (25-05-2017 15:55:09) Run:3
Running from C:\Users\maxaspiner\Desktop
Loaded Profiles: maxaspiner & EliTh & Angel & kaian (Available Profiles: maxaspiner & EliTh & Angel & kaian)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
C:\Windows\System32\MicTray64.exe
C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\MicTray
end

  

*****************

C:\Windows\System32\MicTray64.exe => moved successfully
C:\WINDOWS\system32\Tasks\Microsoft\Windows\Conexant\MicTray => moved successfully

==== End of Fixlog 15:55:09 ====

[kevinf80]

Have also ran ESET scan...?